Paranoid Penguin - Secure Anonymous FTP with vsftpd

To keep your FTP site secure, stick to anonymous access only and run an FTP dæmon with minimal complexity.

Can you believe that in nearly four years of Paranoid Penguin columns,
I've never talked about how to configure FTP services? This month I
fix that, using my new favorite FTP server, Chris Evans' excellent
vsftpd (Very Secure FTP Dæmon). Because my space here is limited and the best use
of FTP is anonymous FTP, we focus on anonymous FTP. The FTP
protocol's use of clear-text authentication makes it a terrible choice
for anything but anonymous file transfer. But anonymous FTP is
still plenty useful.

vsftpd is increasingly popular and is
included with recent versions of Debian, SuSE, Fedora, Red Hat and other
Linux distributions. This inclusion probably is because vsftpd provides a unique
combination of security and convenience. It is easy to get up and
running in a hurry, without having to make ugly security-vs.-expedience
trade-offs.

Chris Evans created vsftpd with security as a
central design goal, and its track record so far
is impressive. In the nearly four years it's been
available, as of this writing, vsftpd has had zero
significant security vulnerabilities. Regardless
of whether that's still true by the time you read
this article, it speaks to vsftpd's excellent design
philosophy, which borrows from OpenBSD's “secure by
default, extra features disabled by default, minimal
complexity overall” motto.

How minimalist is vsftpd? Its entire source tree is just over 1MB in
size, fully uncompressed. The vsftpd executable itself is 80K.

Getting and Installing vsftpd

As I mentioned, vsftpd now is a standard package on many Linux
distributions. The usual advantages of binary packages apply: convenience,
easy patching and minimal impact on other system software. In Debian,
SuSE, Fedora and Red Hat, the package you need predictably is named
vsftpd. It has no particularly exotic dependencies. Most users
probably will be perfectly happy with their distribution's stock vsftpd
package.

If your distribution of choice doesn't provide a binary package for
vsftpd, or if you need a later version than the one your
distribution provides, compile vsftpd from its source
code tarball, which is available at vsftpd.beasts.org. The build
process is decidedly old school.
If you aren't already, become root.
Then, unpack the tarball and change your working directory to its root, like
this:

# tar -xf vsftpd-1.2.1.tar.gz; cd vsftpd-1.2.1

Next, enter the command make without arguments. If it succeeds, there
should be a vsftpd executable in the current directory.
Make sure the user nobody exists; if it doesn't, create it.
vsftpd runs its unprivileged parts under this account.

Create the directory /usr/share/empty if it doesn't exist already. It
should be owned by root and be neither group- nor world-writable—it will be used as the default vsftpd chroot jail.

Create a home directory for the anonymous FTP user. SuSE conventionally
uses /srv/ftp, and other distributions use /var/ftp, but it can be
whatever you like. Again, this directory should be owned by root
and should not be writable by anyone else.

Create an anonymous FTP user account, such as
ftp, and make sure its home directory is set to
the one you created in the previous step. Your system
already may have such an account.
The anonymous ftp user should not be able to
write in its home directory, and it should never own
any files or directories.

Now you're ready to copy vsftpd and the vsftpd(8) and
vsftpd.conf(5) man pages into more useful locations, so enter the
command make install.
Manually copy the sample vsftpd.conf file into /etc.

If you want to run vsftpd as a standalone dæmon, create a startup
script for vsftpd in /etc/init.d. Otherwise, configure either inetd
or xinetd to start it up as needed (see the Standalone Dæmon
vs. inetd/xinetd section).

If you're running vsftpd as a standalone dæmon, enable the startup
script with chkconfig if you use an RPM-based Linux distribution
or with update-rc.d if you run Debian GNU/Linux.
Alternatively, if you install vsftpd from an RPM or deb package, all these
steps are executed automatically, with the probable exception of the
last one. Did I mention that binary packages are much more convenient?
Some distributions require manual intervention to enable newly installed
packages. For example, on my SuSE 9.0 system, although the SuSE vsftpd
RPM automatically installed /etc/init.d/vsftpd, I had to issue
the commands chkconfig --add vsftpd and
chkconfig --level 35 vsftpd on to enable the script.
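Each of the steps above, from the nobody account through to the anonymous home directory, carries an ownership or permission requirement that is easy to get subtly wrong, and vsftpd's own error messages do not always point at the culprit. The script below is an added example, not code from this column or from the vsftpd project; it checks the layout the steps prescribe before you start the dæmon. The function names are my own, the default jail path /usr/share/empty and account name ftp are taken from the text, and the script assumes GNU stat and find as shipped on the Linux distributions named above.

```shell
#!/bin/sh
# Audit the filesystem layout for anonymous-only vsftpd (added example; not
# from the column or the vsftpd project). Assumes GNU coreutils/findutils.

# check_ftp_dir DIR [OWNER]: 0 if DIR exists, is owned by OWNER (default root)
# and has neither the group nor the other write bit set.
check_ftp_dir() {
    dir=$1; owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"; return 1
    fi
    actual=$(stat -c '%U' "$dir")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $dir is owned by $actual, expected $owner"; return 1
    fi
    mode=$(stat -c '%a' "$dir")
    # 022 (octal) masks exactly the group and other write bits
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir (mode $mode) is group- or world-writable"; return 1
    fi
    echo "ok: $dir owner=$actual mode=$mode"
}

# check_ftp_user USER [HOME]: 0 if USER exists in the passwd database and,
# when HOME is given, has that home directory recorded there.
check_ftp_user() {
    user=$1; want_home=$2
    if ! entry=$(getent passwd "$user"); then
        echo "FAIL: account $user does not exist"; return 1
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    if [ -n "$want_home" ] && [ "$home" != "$want_home" ]; then
        echo "FAIL: $user home is $home, expected $want_home"; return 1
    fi
    echo "ok: $user exists, home=$home"
}

# check_owns_nothing HOME USER: 0 if USER owns no file or directory below HOME.
# HOME itself is covered by check_ftp_dir, which demands root ownership.
check_owns_nothing() {
    home=$1; user=$2
    owned=$(find "$home" -mindepth 1 -user "$user" 2>/dev/null | head -n 5)
    if [ -n "$owned" ]; then
        echo "FAIL: $user owns files under $home (first few shown):"
        echo "$owned"; return 1
    fi
    echo "ok: $user owns nothing under $home"
}

# audit_anon_ftp ANON_HOME [ANON_USER] [JAIL]: run every check; 0 only if all pass.
audit_anon_ftp() {
    anon_home=$1; anon_user=${2:-ftp}; jail=${3:-/usr/share/empty}; rc=0
    check_ftp_dir "$jail" || rc=1
    check_ftp_dir "$anon_home" || rc=1
    check_ftp_user nobody || rc=1
    check_ftp_user "$anon_user" "$anon_home" || rc=1
    check_owns_nothing "$anon_home" "$anon_user" || rc=1
    return $rc
}

# Usage: sh audit-ftp-layout.sh /var/ftp ftp   (or /srv/ftp ftp on SuSE)
if [ "$#" -ge 1 ]; then
    audit_anon_ftp "$@"
fi
```

Run it as root after make install and before enabling the startup script; a non-zero exit means at least one FAIL line was printed. The owner argument to check_ftp_dir exists only so the individual checks can be exercised against a scratch directory you own.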

vsftpd's Documentation

Before I begin a discussion of vsftpd that
focuses narrowly on running it as a standalone
dæmon serving up only anonymous FTP, I should point
out some valuable, much more complete, sources of
vsftpd documentation. First, vsftpd comes with an
EXAMPLE/ directory containing sample configurations
for a variety of FTP scenarios, including running
standalone, running with xinetd, serving anonymous
users only and serving local users.
If you installed vsftpd from source code, EXAMPLE is a subdirectory
of your vsftpd source code tarball. If
you installed vsftpd from a binary package, it's probably been
copied to your system somewhere under /usr/share/doc. It is
/usr/share/doc/packages/vsftpd/EXAMPLE on SuSE systems.

As I mentioned in the previous section, vsftpd has man pages,
vsftpd(8) and vsftpd.conf(5). Finally, the default (sample)
vsftpd.conf file itself is well commented. It doesn't contain
all vsftpd options, but it does illustrate the most commonly used ones.
I've successfully gotten vsftpd to work several times with only minimal
tweaking to the sample vsftpd.conf file.
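Because vsftpd's compiled-in defaults are already conservative, the real risk in tweaking the sample vsftpd.conf is switching on something an anonymous-only server has no use for, such as local logins (clear-text passwords) or write access. The script below is an added example, not from this column or the vsftpd project: it reads a vsftpd.conf, reports settings that contradict read-only anonymous service, and checks that the listen setting matches how the dæmon is started (standalone versus inetd/xinetd, the distinction discussed under installation). It assumes the option names documented in vsftpd.conf(5) (anonymous_enable, local_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable, listen), that the file is plain key=value lines with # comments and no spaces around the equals sign, and that a later assignment overrides an earlier one; the function names are my own.

```shell
#!/bin/sh
# Lint a vsftpd.conf for anonymous-only, read-only service (added example;
# not code from the column or the vsftpd project). Option names follow
# vsftpd.conf(5); "last assignment wins" is an assumption of this script.

# conf_value FILE KEY: print the value of the last uncommented KEY= line
# (vsftpd.conf allows no whitespace around '='; '#' lines are comments).
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# is_yes VALUE: 0 if VALUE is one of the spellings vsftpd accepts for "on".
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# bool_setting FILE KEY DEFAULT: print YES or NO, using DEFAULT when unset.
bool_setting() {
    v=$(conf_value "$1" "$2")
    if [ -z "$v" ]; then v=$3; fi
    if is_yes "$v"; then echo YES; else echo NO; fi
}

# audit_vsftpd_conf FILE MODE   (MODE is "standalone" or "inetd")
# Prints one line per finding; exit status is the number of findings, 0 = clean.
audit_vsftpd_conf() {
    conf=$1; mode=$2; findings=0
    # anonymous_enable defaults to YES in vsftpd; the others below default to NO
    if [ "$(bool_setting "$conf" anonymous_enable YES)" = NO ]; then
        echo "anonymous_enable=NO: an anonymous-only server has nothing to serve"
        findings=$((findings + 1))
    fi
    if [ "$(bool_setting "$conf" local_enable NO)" = YES ]; then
        echo "local_enable=YES: local accounts could log in with clear-text passwords"
        findings=$((findings + 1))
    fi
    if [ "$(bool_setting "$conf" write_enable NO)" = YES ]; then
        echo "write_enable=YES: FTP write commands are enabled; set to NO for read-only"
        findings=$((findings + 1))
    fi
    for key in anon_upload_enable anon_mkdir_write_enable; do
        if [ "$(bool_setting "$conf" "$key" NO)" = YES ]; then
            echo "$key=YES: anonymous users could create files or directories"
            findings=$((findings + 1))
        fi
    done
    listen=$(bool_setting "$conf" listen NO)
    case $mode in
        standalone)
            if [ "$listen" = NO ]; then
                echo "listen=NO but started standalone: vsftpd expects an inetd socket and will not bind a port"
                findings=$((findings + 1))
            fi ;;
        inetd)
            if [ "$listen" = YES ]; then
                echo "listen=YES under inetd/xinetd: vsftpd will try to bind port 21 itself and fail (500 OOPS: could not bind)"
                findings=$((findings + 1))
            fi ;;
        *)
            echo "unknown mode $mode (use standalone or inetd)"
            findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Usage: sh lint-vsftpd-conf.sh /etc/vsftpd.conf standalone
if [ "$#" -eq 2 ]; then
    audit_vsftpd_conf "$1" "$2"
fi
```

Defaults are filled in rather than treated as findings, so a config that simply omits local_enable and write_enable passes, which matches the minimal-tweaking approach; only an explicit YES on a dangerous key is reported.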


I would like to set up a site where people can just click the installer they want to download, and the prompt asking to open or save the file will appear automatically (no need for any username or email address). The installers are located on a Linux server. I have already installed vsftpd; the problem is I don't know how to configure my FTP server for this setup.

Is it possible to have uploaded files have ownership set to the name of the user that uploaded them? For example, if user 'user1' uploads a file, the owner should be 'user1' instead of 'ftp' (the default). Additionally, if 'user2' logs in (and is placed in a different root directory - which I have working fine), the owner of files should be 'user2'. Is this easily possible (and within one vsftpd.conf)? Thank you.

1. Very good and detailed article about secure ftp
2. Problems:
When I tried to start "vsftpd &" on Redhat 4, I got the following error:
"./vsftpd: error while loading shared libraries: libssl.so.6: cannot open shared object file: No such file or directory"

Thanks Mick,
It is a very nice article. I think it will help many in configuring
vsftpd in the correct way.
My query is regarding how to configure the server so that my server
supports privileged ports. I have enabled the option

Yes you can, but with a separate package not related to vsftpd but to Linux. Check Red Hat for info. It is similar for all Linux versions.
It is not difficult but a bit laborious for the first setup. After that it's transparent.

Hi, I have established a vsftpd server on my Fedora Core 3 machine. Now I want to have restrictions on the IPs that access my server. How could I set permissions and access rights based on the IPs of the systems?

I have everything working fine except when anonymous writes a file it always gets the permissions 600. No matter what I do to the anon_umask it stays the same. Does anyone have any idea how to change this and make it upload a file with different permissions?

I am using Fedora Core 3 and installed vsftpd, but when I try to check my FTP server I always get "500 OOPS: Could not bind listening IPv4 socket". I have followed the steps to set up vsftpd but still I get this error. What could be my problem?

Check your vsftpd.conf file. If the command "listen=YES" is not commented out, then comment it out. For some reason, the example file seems to enable it by default. When enabled, it can only run in the "stand-alone" mode, not from xinetd.

I had the same problem. Don't know why, but the ipconfig firewall closed ports 20 & 21 to the inner system (SUSE 9.2 Prof). Guard from inner system (or whatever it is called in English) is NOT activated.

Solution: Do NOT open ports 20 & 21 in the expert firewall settings. That does not work.
You have to type "ftp" there, and make your vsftpd listen to your inner system only (if you want it to), using listen_at=(IP) in standalone mode.

My FTP root was not readable, so vsftpd would start, but I couldn't get it to allow anonymous uploads, no matter what I did. I looked for hours for the answer! Why is it not spelled out a little more clearly in the docs?? Why do you have to look at an Oracle Manual to find an obvious VSFTPD config issue??

Markus, you have HUGE props in my book for putting that info down... too bad it took a few hours of Google, change config, get frustrated, repeat before I came across this post.

I think I'll drop by vsftpdrocks.org and relay this info. Thanks again.

Gah! I am also trying to get anonymous to be able to write. I have got this working on one Fedora 8 box, but on another Fedora 8 box I cannot get it to allow me to write. The clues on the non-working machine are: